What is the MOST critical finding when reviewing an organization's information security management?
What is the PRIMARY purpose of performing a parallel run of a new system?
Which of the following should be the MOST important consideration when prioritizing IS audit activities?
Which of the following is a KEY consideration to ensure the availability of nodes in an active-active application cluster configuration?
What is an IS auditor's BEST recommendation to strengthen security guidelines in order to prevent data leakage from the use of smart devices?
During an audit of an organization's intranet, it is discovered that users are not deleting their local web browser caches on a regular basis. This practice will result in the risk of
disclosure of information
An organization plans to deploy Wi-Fi location analytics to count the number of shoppers per day across its various retail outlets. What should the IS auditor recommend as the FIRST course of action by IT management?
Which of the following provides the BEST indication that IT key performance indicators (KPIs) are integrated into management practices?
Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?
A system undergoing acceptance testing is still subject to programming changes. This should have been prohibited in the acceptance test strategy through specifications of:
Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?
In a high-volume, real-time system, the MOST effective technique by which to continuously monitor and analyze transaction processing is:
A system was recently promoted to the production environment. An IS auditor has been asked by senior management to update the annual IT audit plan. Which of the following should be the auditor's NEXT course of action?
During a post-implementation review, a step in determining whether a project met user requirements is to review the:
An IS auditor is assessing a recent migration of mission critical applications to a virtual platform. Which of the following observations poses the GREATEST risk to the organization?
An IS auditor is reviewing an organization's sales and purchasing system due to ongoing data quality issues. An analysis of which of the following would provide the MOST useful information to determine the revenue loss?
Which of the following is the GREATEST benefit of implementing an IT governance strategy within an organization?
Which of the following is the GREATEST risk of cloud computing?
As part of a follow-up of a previous year’s audit, an IS auditor has increased the expected error rate for a sample. The impact will be:
To preserve chain-of-custody following an internal server compromise, which of the following should be the FIRST step?
An IS auditor is assigned to review the development of a specific application. Which of the following would be the MOST significant step following the feasibility study?
During the course of an audit, an IS auditor's organizational independence is impaired. The IS auditor should FIRST:
Which of the following test approaches would utilize data analytics to validate customer authentication controls for banking transactions?
To create a digital signature in a message using asymmetric encryption, it is necessary to:
Which of the following would BEST provide executive management with current information on IT related costs and IT performance indicators?
An IS auditor suspects an organization's computer may have been used to commit a crime. Which of the following is the auditor's BEST course of
When determining the specifications for a server supporting an online application using more than a hundred endpoints, which of the following is the MOST important factor to be considered?
An IS auditor is reviewing the results of a business process improvement project. Which of the following should be performed FIRST?
An IS auditor previously worked in an organization's IT department and was involved with the design of the business continuity plan (BCP). The IS auditor has now been asked to review this same BCP. The auditor should FIRST:
An organization has recently acquired and implemented intelligent-agent software for granting loans to customers. During the post implementation review, which of the following would be the KEY procedure for the IS auditor to perform?
The purpose of data migration testing is to validate data:
An organization with high security requirements is evaluating the effectiveness of biometric systems. Which of the following performance indicators is MOST important?
During an audit, it is discovered that several suppliers with standing orders have been deleted from the supplier master file. Which of the following controls would have BEST prevented such an occurrence?
An IS auditor has identified that some IT staff have administrative access to the enterprise resource planning (ERP) application, database, and server. IT management has responded that due to limited resources, the same IT staff members have to support all three layers of the ERP application. Which of the following would be the auditor's BEST recommendation to management?
Which of the following is the MAIN purpose of implementing an incident response process?
An IS auditor is reviewing the process followed in identifying and prioritizing the critical business processes. This process is part of the:
The risk that the IS auditor will not find an error that has occurred is identified by which of the following terms?
Which of the following is the GREATEST risk posed by denial-of-service attacks?
During a post-incident review of a security breach, what type of analysis should an IS auditor expect to be performed by the organization's information security team?
Which of the following is MOST important for the successful establishment of a security vulnerability
As part of a quality assurance initiative, an organization has engaged an external auditor to evaluate the internal IS audit function. Which of the following observations should be of MOST concern?
During audit planning, an IS auditor walked through the design of controls related to a new data loss prevention tool. It was noted that the tool will be configured to alert IT management when large files are sent outside of the organization via email. What type of control will be tested?
In which of the following cloud service models does the user organization have the GREATEST control over the accuracy of configuration items in its configuration management database (CMDB)?
The MOST effective method for an IS auditor to determine which controls are functioning in an operating system is to:
An IS auditor finds that corporate mobile devices used by employees have varying levels of password settings. Which of the following would be the BEST recommendation?
A multinational organization is integrating its existing payroll system with a human resource information system. Which of the following should be of GREATEST concern to the IS auditor?
Which of the following is the MOST important step in the development of an effective IT governance action plan?
During the planning stage of a compliance audit, an IS auditor discovers that the bank’s inventory of compliance requirements does not include recent regulatory changes related to managing data risk. What would the auditor do FIRST?
An IS auditor is planning a risk-based audit of the human resources department. The department uses separate systems for its payroll, training and employee performance review functions. What should the IS auditor do FIRST before identifying the key controls to be tested?
Which of the following is the BEST source of information for assessing the effectiveness of IT process monitoring?
An IS auditor determines that a business impact analysis (BIA) was not conducted during the development of a business continuity plan (BCP). What is the MOST significant risk that could result from this situation?
Which of the following concerns is BEST addressed by securing production source libraries?
An audit report notes that terminated employees have been retaining their access rights after their departure. Which of the following strategies would BEST ensure that obsolete access rights are identified in a timely
An organization is considering replacing physical backup tapes stored offsite with real-time on-line backup to a storage area network (SAN) located in the primary data center. Which of the following is the GREATEST risk?
Which of the following is MOST critical for the effective implementation of IT governance?
An organization's software developers need access to personally identifiable information (PII) stored in a particular data format. Which of the following is the BEST way to protect this sensitive information while allowing the developers to use it in development and test environments?
Which of the following observations should be of concern to an IS auditor in the fieldwork stage of a procurement audit?
Which of the following should an IS auditor recommend to facilitate the management of baseline requirements for hardening of firewalls?
What is the PRIMARY reason for including a clause requiring source code escrow in an application vendor agreement?
Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?
During a vulnerability assessment, an IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer orders via credit card. The IS auditor could FIRST:
Which of the following would be of GREATEST concern to an IS auditor reviewing an organization's security incident handling procedures?
A security regulation requires the disabling of direct administrator access. Such access must occur through an intermediate server that holds administrator passwords for all systems and records all actions. An IS auditor's PRIMARY concern with this solution would be that:
Which of the following is an advantage of using electronic data interchange (EDI)?
An IS auditor is reviewing environmental controls and finds extremely high levels of humidity in the data center. Which of the following is the PRIMARY risk to computer equipment from this condition?
Which of the following IS audit findings should be of GREATEST concern when preparing to migrate to a new core system using a direct cut-over?
An IT department installed critical patches provided by the vendor to HR production servers. Immediately after the installation was completed, the HR department called to report that none of its users could access the system. What should be the IT department's FIRST step in addressing this issue?
In an online application, which of the following would provide the MOST information about the transaction audit
Which of the following is a prerequisite to help ensure that IS hardware and software support the delivery of mission-critical functions?
Which of the following is the GREATEST benefit of implementing an incident management process?
Which of the following is the BEST indication of the completeness of interface control documents used for the development of a new application?
Which of the following is an analytical review procedure for a payroll system?
Which of the following would BEST prevent data from being orphaned?
Which of the following is the MOST appropriate responsibility of an IS auditor involved in a data center renovation project?
Following an IT audit, management has decided to accept the risk highlighted in the audit report. Which of the following would provide the MOST assurance to the IS auditor that management is adequately balancing the needs of the business with the need to manage risk?
An organization with many desktop PCs is considering moving to a thin client architecture. Which of the following is the MAJOR advantage?
Which of the following should be an IS auditor's GREATEST consideration when scheduling follow-up activities for agreed-upon management responses to remediate audit observations?
When preparing to evaluate the effectiveness of an organization's IT strategy, an IS auditor should FIRST review:
Which of the following would represent an acceptable test of an organization's business continuity plan?
Which of the following should be an IS auditor's PRIMARY consideration when reviewing a project to outsource data center hosting services?
Which of the following should an IS auditor expect to see in a network vulnerability assessment?
An IS auditor auditing the effectiveness of utilizing a hot site will MOST likely:
Which of the following findings should be of GREATEST concern to an IS auditor conducting a forensic analysis following incidents of suspicious activities on a server?
Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?
An organization is in the process of rolling out a new inventory software tool to replace a suite of verified individual spreadsheet-based inventory solutions. Which of the following is MOST important to help ensure ongoing data integrity within the new inventory tool?
Which of the following is the BEST development methodology to help manage project requirements in a rapidly changing environment?
An IS auditor is performing a routine procedure to test for the possible existence of fraudulent transactions. Given there is no reason to suspect the existence of fraudulent transactions, which of the following data analytics techniques should be employed?
Which of the following is the PRIMARY criterion for identifying an incident severity level?
When evaluating a project immediately prior to implementation, which of the following would provide the BEST evidence that the system has the required functionality?
An IS audit of an organization's data classification policies finds some areas of the policies may not be up-to-date with new data privacy regulations. What should management do FIRST to address the risk of noncompliance?
While reviewing an independent audit report of a service provider, an IS auditor notes that the report includes a reference to a vice organization that provides data center hosting services. Which of the following is the MOST efficient way for the auditor to assess the data center's physical access controls?
Which of the following BEST demonstrates to an IS auditor that an organization has implemented effective risk management processes?
Which of the following is MOST important to consider when creating audit follow-up procedures?
Which of the following risk management activities is MOST important to complete before implementing an enterprise resource planning (ERP) system?
A recent audit concluded that an organization’s information security system was weak and that monitoring would likely fail to detect penetration. Which of the following would be the MOST appropriate recommendation?
During an annual audit, an IS auditor finds there is no written department and users. The auditor's FIRST step should be to:
When would an IS auditor expect to see testing completed for a project using agile methodology?
What would be an IS auditor's BEST course of action when a critical issue outside the audit scope is discovered on an employee workstation?
An IS auditor is conducting a pre-implementation review to determine a new system's production readiness. The auditor's PRIMARY concern should be whether:
When reviewing an organization's security awareness program, it is MOST important to verify that training occurs:
Which of the following is the MOST critical element impacting the success of an information security program?
Which of the following conditions would be of MOST concern to an IS auditor assessing the risk of a successful brute force attack against encrypted data at rest?
What is the PRIMARY reason for hardening new devices before introducing into a corporate network?
Which of the following should be included in a business impact analysis (BIA)?
The practice of performing backups reflects which type of internal control?
In which of the following sampling methodologies does each member of the population have a known nonzero probability of being selected?
An organization experienced a domain name system (DNS) attack caused by default user accounts not being removed from one of the servers. Which of the following would have been the BEST way to mitigate the risk of this DNS attack?
Which of the following backup schemes is the BEST option when storage media is limited?